Chocolatey CLI is well-known for installing and managing software, but it can be used to automate in a lot of different ways. A customer recently used Chocolatey CLI to deploy a Windows hardening baseline.
Beyond Software: The Versatility of Chocolatey Packages!
Chocolatey CLI isn’t just a package manager for Windows software. It’s an automation tool. Here’s why Chocolatey CLI is a great choice for more than just installing software:
- Automation: The scripting capabilities of Chocolatey packages allow automation of complex tasks.
- Consistency: Deploying scripts or configurations as Chocolatey packages guarantees uniform deployment across systems.
- Integration: Chocolatey CLI can be used with tools such as CI/CD pipelines and configuration management tools to simplify automation and reduce administrative overhead.
A hardening baseline is a set of security configurations that can be applied to a system to reduce its attack surface. An example script can be found on the PowerShell Gallery.
In this post we will show you how you can use Chocolatey CLI to deploy a Windows client hardening script, demonstrating its versatility beyond just software installation.
Why Use Chocolatey for Script Deployment?
Chocolatey CLI provides a simple way to package and distribute scripts, making it easy to deploy configurations or automation tasks across multiple machines. This is particularly useful in environments where consistency and repeatability are crucial. With Chocolatey CLI, you can also manage dependencies, ensuring that any required tools or libraries are available before executing your main script. Packages are also versioned, making it easy to roll back changes if needed.
Case Study: Deploying a Windows Client Hardening Script
Let’s explore how a Chocolatey package can be used to apply a Windows client hardening script.
Step 1: Create Your Script
First, create a PowerShell script that applies the necessary settings for hardening a Windows client. For example, windows-client-hardening.ps1 might include security configurations like disabling SMBv1, enabling Windows Defender, and configuring firewall rules.
Step 2: Set Up the Chocolatey Package Structure
Organize your package by creating the necessary directory structure:
choco-windows-client-hardening
│   choco-windows-client-hardening.nuspec
│
└───tools
        chocolateyInstall.ps1
        chocolateyUninstall.ps1
        windows-client-hardening.ps1
Step 3: Define the Package Metadata
The .nuspec file contains metadata about your package. Here’s an example:
<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>choco-windows-client-hardening</id>
    <version>0.0.1</version>
    <title>Windows Client Hardening</title>
    <authors>Chocolatey Software</authors>
    <tags>windows-client-hardening script tutorial</tags>
    <summary>Windows Client Hardening</summary>
    <description>Windows client hardening</description>
  </metadata>
  <files>
    <!-- this section controls what actually gets packaged into the Chocolatey package -->
    <file src="tools\**" target="tools" />
  </files>
</package>
Step 4: Write the Installation Script
The chocolateyInstall.ps1 script will execute your hardening script:
# Fail the Chocolatey install on the first error instead of continuing half-applied
$ErrorActionPreference = 'Stop'
# Directory this script lives in (the package's tools folder)
$toolsDir = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
$script = Join-Path -Path $toolsDir -ChildPath 'windows-client-hardening.ps1'
Write-Verbose "Executing script: $script"
& $script
NOTE: You can edit the chocolateyUninstall.ps1 script to reverse any changes made by your hardening script. This is optional but recommended for a complete package. If you choose not to implement an uninstall script, this file can be removed as it is not needed.
Step 5: Pack and Push Your Package
Use Chocolatey CLI to pack your package:
choco pack choco-windows-client-hardening.nuspec
Then push your package to a repository. For something like a hardening baseline, this would be an internally hosted repository:
choco push choco-windows-client-hardening.0.0.1.nupkg --source <YOUR_REPOSITORY_URL>
With your package ready, you can now deploy it to any machine using Chocolatey CLI:
choco install choco-windows-client-hardening
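As an added example (not the post's own script and not the PowerShell Gallery script it refers to), here is a minimal windows-client-hardening.ps1 covering the three settings named in Step 1. Each control is applied only if it is not already compliant and is re-read afterwards, so a control that does not take effect makes chocolateyInstall.ps1, and therefore choco install, report failure rather than silently succeed. The cmdlets are standard Windows built-ins; the control list itself is constructed for this example.

```powershell
#Requires -RunAsAdministrator
# windows-client-hardening.ps1 (added example, not from the original post).
# Applies the baseline idempotently, then verifies every control before exiting.
$ErrorActionPreference = 'Stop'

# Each control: a name, an Apply action, and a Test that returns $true when compliant.
# The list is constructed for this example; extend it with your own baseline items.
$controls = @(
    @{
        Name  = 'Disable SMBv1 on the SMB server'
        Apply = { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
        Test  = { -not (Get-SmbServerConfiguration).EnableSMB1Protocol }
    },
    @{
        Name  = 'Remove the SMB1Protocol optional feature'
        Apply = { Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null }
        # DisablePending (restart outstanding) also counts as compliant here
        Test  = { (Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol').State -ne 'Enabled' }
    },
    @{
        Name  = 'Enable Windows Defender real-time protection'
        Apply = { Set-MpPreference -DisableRealtimeMonitoring $false }
        Test  = { -not (Get-MpPreference).DisableRealtimeMonitoring }
    },
    @{
        Name  = 'Firewall enabled on all profiles, inbound blocked by default'
        Apply = { Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block }
        Test  = {
            $profiles = Get-NetFirewallProfile -Profile Domain, Private, Public
            @($profiles | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }).Count -eq 0
        }
    }
)

$failed = @()
foreach ($c in $controls) {
    if (& $c.Test) {  # already compliant: change nothing, so re-running the package is safe
        Write-Host "[ OK  ] $($c.Name) (already compliant)"
        continue
    }
    Write-Host "[APPLY] $($c.Name)"
    & $c.Apply
    if (& $c.Test) { Write-Host "[ OK  ] $($c.Name)" }
    else { Write-Warning "[FAIL ] $($c.Name) did not verify after apply"; $failed += $c.Name }
}

# Throwing here propagates through chocolateyInstall.ps1 ($ErrorActionPreference = 'Stop'),
# so a partially applied baseline surfaces as a failed 'choco install' in your deployment tooling.
if ($failed.Count -gt 0) { throw "Hardening baseline incomplete: $($failed -join ', ')" }
```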
Updating the Package
Updating the package is straightforward. Modify your script, update the version in the .nuspec file, and repeat the packing and pushing process. This can even be automated with a CI/CD pipeline.
Broader Applications
The same approach applies to various other tasks:
- Configuration Management: Deploy system configurations, environment settings, or network policies.
- Maintenance Scripts: Automate regular maintenance tasks like cleanup scripts, backups, or performance optimizations.
- Custom Deployments: Roll out custom software setups or proprietary tools specific to your organization.
I Have Questions!
Check the Chocolatey Packaging FAQ for more information, or reach out for community assistance on our Community Hub.
Wrap Up
In this post we covered a unique way Chocolatey packages can be used to help in your automation efforts.
If you have any more questions, please reach out for community assistance on our Community Hub.
Written By:
Derek Walker
Infrastructure Operations Engineer
Derek is an Infrastructure Operations Engineer at Chocolatey Software. He likes working in AWS and on automation projects.